Following 'unusual activity' from China and Saudi Arabia, Twitter reveals user country codes may have leaked

Twitter has discovered what it describes as "unusual activity" stemming from China and Saudi Arabia. The social networking company says that it noticed a large number of enquiries involving a support API coming from individual IP addresses in the two countries.

The discovery came as Twitter investigated a bug in a support form. The problem, Twitter says, dates back to November 15, and it was fixed the next day, but a security researcher says he reported the issue two years ago. As a result of the bug, Twitter says that the country code of users' phone numbers could have been discovered by malicious actors.

Speaking to Reuters, Twitter says that it is possible that the suspicious activity originated from state-sponsored hackers, reiterating a claim made in a public blog post about the matter. Stressing that the problem "did not expose full phone numbers or any other personal data", the company explains that the bug "could be used to discover the country code of people’s phone numbers if they had one associated with their Twitter account, as well as whether or not their account had been locked". It adds that it has contacted users it believes to have been affected.

Since we became aware of the issue, we have been investigating the origins and background in order to provide you with as much information as possible. During our investigation, we noticed some unusual activity involving the affected customer support form API. Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors. We continue to err on the side of full transparency in this area and have updated law enforcement on our findings.

As reported by TechCrunch, security researcher Peerzada Fawaz Ahmad Qureshi reported the same bug through Twitter's own bug-reporting program, HackerOne. At the time -- two years ago -- Twitter dismissed the report, saying " we don’t consider the disclosure of a user's country code to be sensitive information at this time".

Issuing what is unlikely to be regarded as the most sincere and heartfelt apology about the bug, Twitter says: "We are sorry this happened".